The affected ASUS routers suffer from an insecure default configuration for Anonymous users once anonymous access is enabled: write access is enabled for all directories on the attached storage by default. Furthermore, the administrator is not able to restrict read or write access for any specific directory on attached storage devices.

Impact

The anonymous FTP user can write arbitrary files to the attached storage device.

2. FTP users can access certain system files when Download Master is installed

Description

The affected routers suffer from a vulnerability relating to symlinks and weak permissions for FTP Users, including the Anonymous FTP User. Users are able to gain limited access to certain system files and directories when Download Master is installed.

Impact

The attacker can read certain system files via FTP.

3. FTP users can read all system files, and retrieve an unsalted root password hash, when Download Master is installed

Description

The affected routers suffer from a vulnerability relating to symlinks and weak permissions for FTP Users, including the Anonymous FTP User. Users are able to access all system files and directories, including /etc. This vulnerability leads to SSH / admin interface access due to the exposure of the Lighttpd password stored as an unsalted MD5 hash - this password is automatically created by copying the root user’s existing credentials for SSH / Administrative Interface access.

Legend:
Condition A: When Download Master is installed
Condition B: When read access for the ASUSWARE.ARM USB directory had already been granted to any other FTP user at the time the anonymous user account was enabled
Condition C: When read access for the ASUSWARE.ARM USB directory has been granted to the current FTP user

User                 Condition A    Condition B    Condition C
Anonymous            x              x              x
FTP User Accounts    x              x              x

Impact

The attacker gains access to all system files, including /etc/passwd, and to the unsalted MD5 Lighttpd password hash, which is automatically created by copying the root user's credentials for SSH / Administrative Interface access.

Proof of concept

A complete PoC exploit script will be released after public disclosure. The script leverages an anonymous user account, or a valid FTP user account, retrieves and cracks the root password hash, and attempts to spawn an SSH shell in the context of the root user.

The affected routers suffer from a vulnerability relating to symlinks and weak permissions for FTP Users, including the Anonymous FTP User. Users are able to overwrite arbitrary files, including system files. This vulnerability leads to SSH / admin interface access due to the exposure of the Lighttpd password stored as an unsalted MD5 hash - this password is automatically created by copying the root user’s existing credentials for SSH / Administrative Interface access.

Legend:
Condition A: When Download Master is installed
Condition B: When write access for the ASUSWARE.ARM USB directory had already been granted to any other FTP user at the time the anonymous user account was enabled
Condition C: When write access for the ASUSWARE.ARM USB directory has been granted to the current FTP user

User                 Condition A    Condition B    Condition C
Anonymous            x              x              x
FTP User Accounts    x              x              x

Impact

The attacker gains write privileges to all system files, including /etc/passwd and /etc/shadow.

Proof of concept

AiCloud suffers from sensitive file exposure. Authenticated users are able to access sensitive files, including password and configuration files, via a directory traversal bug in AiCloud's AiDisk server.
This vulnerability can lead to SSH/admin interface access as a result of unsalted MD5 hashed password disclosure. (Note: unauthenticated users can exploit this issue whilst impersonating an administrative user via TJA-ASUS-06.)

Impact

AiCloud suffers from a session management flaw. If the attacker shares the admin's external network (or is on the same local network), they can set their User-Agent to match the admin's User-Agent and thereby impersonate the Admin user. This is only possible while the Admin has an active session. Note: this vulnerability can lead to SSH/admin interface access as a result of unsalted MD5 hashed password disclosure, as per issue TJA-ASUS-05.

Impact
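To show why a User-Agent match cannot stand in for a session credential, here is an added illustration that is not AiCloud's code and not part of the advisory: a constructed in-memory session store that, as described above, recognises the admin by User-Agent while a session is active, next to the same store keyed by a random per-session token. All names are hypothetical.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SessionStore:
    """Toy session store (constructed for illustration only)."""
    by_user_agent: Dict[str, str] = field(default_factory=dict)  # UA -> user (weak)
    by_token: Dict[str, str] = field(default_factory=dict)       # token -> user (strong)
    token_ua: Dict[str, str] = field(default_factory=dict)       # token -> UA seen at login

    def login(self, username: str, user_agent: str) -> str:
        """Start a session and record it both ways so the lookups can be compared."""
        self.by_user_agent[user_agent] = username
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self.by_token[token] = username
        self.token_ua[token] = user_agent
        return token

    def logout(self, token: str) -> None:
        """End the session; in the weak model the UA mapping disappears too."""
        user_agent = self.token_ua.pop(token, None)
        self.by_token.pop(token, None)
        if user_agent is not None:
            self.by_user_agent.pop(user_agent, None)

    def user_for_weak(self, user_agent: str) -> Optional[str]:
        """Flawed check: a request whose User-Agent equals that of an active
        session is treated as that session's user. The UA is attacker-chosen
        and visible on the network, so anyone who copies it is 'the admin'."""
        return self.by_user_agent.get(user_agent)

    def user_for_strong(self, token: str, user_agent: str) -> Optional[str]:
        """Hardened check: identity comes only from the secret token. The UA is
        compared merely as an extra anomaly signal; a mismatch ends the session
        rather than granting anything."""
        username = self.by_token.get(token)
        if username is None:
            return None
        if user_agent != self.token_ua.get(token):
            self.logout(token)  # possible hijack: invalidate instead of trusting
            return None
        return username
```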